Current SSL certificates have expired. This patch contain new ones
valid for 10 years and i've updated the ssl-ipv*.conf with the command
to create certificates with this expiration time.
Change-Id: Iaf4164149e3e28de8cf0367bc98e3e649bd10f87
A recent update to urllib tightened some checks around SSL [1].
This prompted an update to Devstack in order to work properly [2].
Jobs running into this problem without having a SubjectAltName
provided will see an error that looks like:
SSLError: hostname '127.0.0.1' doesn't match either of
'127.0.0.1', 'localhost'
Let's also update the certificates to provide the SubjectAltName
and provide a way to easily update the certificates if required
in the future.
[1]: df9d503a8e/CHANGES.rst (118-2016-09-26)
[2]: https://git.openstack.org/cgit/openstack-dev/devstack/commit/?id=69e3c0aac99981f17c76c22111e5c397824b8428
Change-Id: I94a586b333ba6a99ef831c853a19ab127b502d6f
A new version of python urllib send us ugly warnings because our SSL
certificates don't have SubjectAltNames.
I re-generated some SSL certs with it, for both ipv4 & ipv6 deployments.
Change-Id: Ibed9f23869de9d2871c3d25e9bd24df809aa4c16
* Deploy Self-Signed Certificates for both IPv6 & IPv4 deployments.
* Disable IPv6 for RabbitMQ now, for SSL reasons, will be enabled again
later in a next iteration.
* Deploy Ironic API under WSGI instead of eventlet.
* Switch Glance API, Ironic API and Keystone to SSL.
* Configure Tempest with SSL endpoints when needed.
* Reduce the Ironic tests because of [1].
[1] https://bugs.launchpad.net/ironic/+bug/1554237
Note #1: puppet-swift, and puppet-cinder will require some work to support SSL, so it's not
implemented in this patch.
Note #2: we don't enable SSL for Neutron because of
https://bugs.launchpad.net/neutron/+bug/1514424
Change-Id: Ib2b5289b6f5e82f43cf60dee3152b2c2ddd5a014